Are you on top of your third-party data transfer exposure?
UK-based organisations have a lot to think about, given the global pandemic, fears of a double-dip recession and post-Brexit arrangements. It’s not surprising therefore that addressing data protection concerns – particularly around third-party personal data transfer – might not be top of the ‘to do’ list. However, it is important that UK-based organisations understand their responsibilities in this area, as potential financial and reputational sanctions could otherwise lie ahead.
There have been significant developments in recent weeks, but the story starts back in July 2020 with the European Court of Justice’s decision to invalidate the EU-US Privacy Shield. This had the interesting by-product of calling into question the continued use of Standard Contractual Clauses (SCCs) for any personal data transfer outside of the EU.
The decision left organisations confused about how they would be able to transfer information legally in future. For entities based in the UK (and Europe), SCCs had been deemed a quick fix to ensure that personal information could be transferred internationally outside of the EU. Suddenly they were being told this was potentially no longer the case – unless an ‘assessment’ of the recipient country was completed in order to justify the continued use of the SCCs. The assessment would involve ensuring the jurisdiction had sufficient protections, equivalent to those under EU law, when personal data was sent there.
Brexit proceedings added further uncertainty; however, over the Christmas and New Year period the UK and the EU finally agreed a deal. The key data protection issue before the deal was agreed concerned data transfer, and the fact that the UK would be deemed a third country from a data protection perspective at the end of the transitional period on 31 December 2020. This would have restricted the free flow of personal data from the EU into the UK unless adequate safeguards were in place.
In fact, the EU-UK Trade & Cooperation Agreement (TCA) provides for an interim period of up to 6 months from 1 January 2021 during which any transfers from the EU to the UK shall not be considered a transfer to a third country, i.e. nothing changes for the moment. The TCA actually states that the interim period is initially for 4 months (until 30 April 2021), with a two-month extension if required (until 30 June 2021), unless the UK or the EU objects to this.
Despite the Brexit deal being agreed, it included no reference to the UK being granted adequacy from a data protection standpoint. As it currently stands, the UK is still waiting on the decision of the European Commission to grant the UK ‘adequacy’ from a data protection perspective and the interim period of up to 6 months included in the TCA is seen by many as being the time required for the European Commission to approve this. The award of this adequacy status would mean that the free flow of personal data between the UK and the EU can continue without safeguards being required.
All these developments have the following repercussions for UK entities:
- They can continue to use the SCCs (see reference to redrafted SCCs below) as an acceptable safeguard for any exposure to international personal data transfer, but an assessment must be completed.
- From a Brexit standpoint, although a grace period of up to 6 months has been granted from 1 January 2021, UK organisations still need to consider where they have exposure to personal data transfer coming from any jurisdiction inside the EU. Although the UK can continue to transfer personal data into the EU, until the UK receives the adequacy decision, any personal data transfer from the EU into the UK will need to be safeguarded going forward, especially if adequacy is not granted to the UK after the interim period ends on 30 April 2021 (or 30 June 2021 if the extension is taken up).
Fast forward to December 2020 and there have been a couple of developments, primarily as a result of the decision to invalidate the EU-US Privacy Shield. UK companies are affected not only by personal data transfers to or from a third country outside of the EU, but also by any personal data transfer coming directly from the EU into the UK.
In November 2020, the European Data Protection Board issued recommendations on supplementary measures that an organisation needs to consider when undertaking an assessment of a jurisdiction. The guidance can be broken down into a number of steps as follows:
Step 1. Identify your international personal data transfer exposure and ensure that a transfer mechanism has been selected.
Step 2. Investigate and assess whether the third-country jurisdiction has sufficient protections in place, i.e. that there is nothing that would stop the organisation using the transfer mechanism that has been selected.
Step 3. If required, identify and adopt the supplementary measures in order to bring the level of protection of the third country up to the standards expected by the EU. These could be technical safeguards, contractual safeguards or organisational measures.
Another recent development affects the SCCs. As a result of the decision to invalidate the EU-US Privacy Shield, the SCCs have been redrafted to take account of the weaknesses identified during the judgement. The new versions incorporate stronger safeguards for personal data transfers into contracts.
The assessment guidance and redrafted SCCs remain open for comment until 21 December 2020. However, UK organisations can begin preparatory action to ensure ongoing compliance with data protection law and the ability to continue the legal transfer of personal data.
Until the guidance and redrafted SCCs are confirmed, here are our recommendations for immediate action:
- Fully understand your personal data flows across the organisation.
- Identify which data flows bring an exposure to international personal data transfer.
- Conclude on the transfer mechanism to be relied on for each transfer.
- Identify where an assessment and/or contractual changes will potentially need to be made.
The legal landscape around data transfer is complex. It is extremely important for any UK-based organisation to identify where it is exposed and draw up a roadmap to address the associated risks. The Information Commissioner’s Office, as the UK regulator, will expect organisations to be on top of their compliance responsibilities.
Please do get in contact with me if you would like to find out more on this subject or to have a more detailed discussion about how your organisation could be affected.